[openssl-users] 'FIPS_CIPHERINIT:disabled' in fips mode error in 1.0.1e

jonetsu jonetsu at teksavvy.com
Mon Oct 26 20:44:59 UTC 2015


In 1.0.1e the following is observed when using OpenSSL in FIPS mode:


 % OPENSSL_FIPS=1 openssl pkcs12 -export -in /tmp/ipsec.d/certs/192.168.11.1 -inkey /tmp/ipsec.d/private/192.168.11.1 -name 192.168.11.1 -out /tmp/ipsec.d/192.168.11.1.p12 -password pass:""


 3067167952:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
 3067167952:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
 3067167952:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
 3067167952:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
 3067167952:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:202:


In 'Re: PKCS12 keystore creation failing in fips mode' (May 29,
2013 9:15pm) the following is said:


  "That's a bug in 1.0.1 in that it tries to use an unapproved
  algorithm in FIPS mode.  Workaround: use the -descert option."


It is not possible for us to upgrade OpenSSL, but it would be
possible to apply a patch.  Does a patch exist that fixes this
problem and, if so, where can it be found?  I do not know how
development is organized for OpenSSL (bug tracker, git?)


Thanks!
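
Added example, not part of the original post: a small decoder for the error-queue lines quoted above, useful for picking the innermost failure out of a stack like this one. It assumes the OpenSSL 1.0.x packed error code layout (library in bits 24-31, function in bits 12-23, reason in bits 0-11); the names `QueueEntry`, `parse_queue`, `root_cause` and `fips_rejections` are hypothetical.

```python
from typing import List, NamedTuple, Optional

class QueueEntry(NamedTuple):
    thread: str
    code: int
    lib: int          # library number, bits 24-31 of the packed code
    func: int         # function number, bits 12-23
    reason: int       # reason number, bits 0-11
    lib_name: str
    func_name: str
    reason_text: str
    file: str
    line: int

# The five error lines from the post, each rejoined onto one line.
POST_ERRORS = """\
3067167952:error:060A60A3:digital envelope routines:FIPS_CIPHERINIT:disabled for fips:fips_enc.c:142:
3067167952:error:06074078:digital envelope routines:EVP_PBE_CipherInit:keygen failure:evp_pbe.c:205:
3067167952:error:23077073:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 algor cipherinit error:p12_decr.c:83:
3067167952:error:2306C067:PKCS12 routines:PKCS12_item_i2d_encrypt:encrypt error:p12_decr.c:175:
3067167952:error:23073067:PKCS12 routines:PKCS12_pack_p7encdata:encrypt error:p12_add.c:202:
"""

def parse_queue(text: str) -> List[QueueEntry]:
    """Parse 'thread:error:HEXCODE:lib:func:reason:file:line:data' lines."""
    entries = []
    for raw in text.splitlines():
        # maxsplit=8 keeps any colons in the trailing data field intact.
        parts = raw.strip().split(":", 8)
        if len(parts) < 8 or parts[1] != "error" or not parts[7].isdigit():
            continue  # not an error-queue line
        code = int(parts[2], 16)
        entries.append(QueueEntry(
            parts[0], code, (code >> 24) & 0xFF, (code >> 12) & 0xFFF,
            code & 0xFFF, parts[3], parts[4], parts[5], parts[6], int(parts[7])))
    return entries

def root_cause(entries: List[QueueEntry]) -> Optional[QueueEntry]:
    # The queue is printed oldest entry first, so the first line is the
    # innermost failure; later lines are callers reporting that it failed.
    return entries[0] if entries else None

def fips_rejections(entries: List[QueueEntry]) -> List[QueueEntry]:
    # Entries where the FIPS layer refused an algorithm outright.
    return [e for e in entries if e.reason_text == "disabled for fips"]

if __name__ == "__main__":
    for e in parse_queue(POST_ERRORS):
        print(f"lib={e.lib:#04x} func={e.func} reason={e.reason} "
              f"{e.func_name}: {e.reason_text} ({e.file}:{e.line})")
```
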





